Setup an FTP-server with quotas on RHEL or CentOS 6 or 7 with proftpd

FTP should be avoided whenever possible, but sometimes it’s just the handiest and most convenient way of transferring files. In most cases, your FTP-users will be able to upload files to the FTP-server. To prevent some users from filling up the whole machine, you can use quotas. In this post, I’ll describe how to set up a basic proftpd FTP-server with quotas on RHEL or CentOS 6 and 7.

Surprisingly, there isn’t a lot of documentation to be found on how to set up proftpd with quotas on CentOS or RHEL. The documentation that I found was mainly for LDAP or MySQL integration and, while that’s a good idea, I was looking for something simpler, using a plain file containing the quotas for the users.

The steps in this post are nearly identical for el6 and el7 installations, so I’ll only point out version-specific actions. If nothing is noted, the action can be executed on both RHEL/CentOS 6 and RHEL/CentOS 7.

Install proftpd

The first thing to do is to install the proftpd package from the repositories. The package can be found in the EPEL repository. To be able to use the EPEL-repository, we need to make it available first:

Now that we have access to packages in the EPEL repository, we can go ahead and install proftpd itself. To be able to test the ftp-server on the same machine, let’s also install the cli ftp-client:

At the time of writing, for CentOS 7, the latest version was: 1.3.5-2 and for CentOS 6, the latest version was: 1.3.3g-4. Because of the difference in versions, there are some differences regarding quota configuration but more about that later.

Firewall and SELinux

Before we start with the actual configuration, we need to allow FTP to pass through our firewall and through SELinux.

By default, iptables will block incoming connections so we need to open up TCP port 21 to allow incoming FTP-connections. Because we would like to support passive FTP, since most FTP-clients use that by default, we’ll also need to load the ip_conntrack_ftp kernel module for iptables.

For RHEL 6 or CentOS 6:

On el6, we need to configure iptables directly:

Add the ip_conntrack_ftp module in /etc/sysconfig/iptables-config:

Open up TCP port 21 for incoming traffic, save the rules and restart iptables to load the kernel module:

For RHEL 7 or CentOS 7:

On el7 we can use firewalld to make things a little simpler:

To make sure that the conntrack_ftp module is loaded, let’s check which kernel modules are loaded (on both el6 and el7):


By default, SELinux won’t allow the FTP-users to write to their home directory, which would immediately take away the need to set up a quota :) Let’s allow read and write access for the FTP-users to their home directory by setting the SELinux boolean ftp_home_dir to 1:

Basic proftpd configuration

To get familiar with proftpd and its configuration file, let’s start with a basic FTP-server configuration so we can be sure that our FTP-server works fine before we start with quotas.

The configuration of proftpd is done in /etc/proftpd.conf. Change the configuration file to have something like this. I removed commented lines to keep the page from getting too long, but it’s a good idea to keep them in your file.

Most of the configuration in the file is standard. The only real change is to deny all users and allow only users that are in the group ftp. By default, all users are allowed to connect to the FTP-server, except the ones listed in /etc/ftpusers.

After the change in the configuration, to allow my own user (or any other existing user) to have access to FTP, I need to add it to the group ftp:

To create a new user that will only be used for FTP:

All preparation for the FTP-server should be done so it’s time to start the service and test it.

For RHEL 6 or CentOS 6:

For RHEL 7 or CentOS 7:

In case you would get an error that contains something like this:

Then, make sure that your system can resolve its own hostname by adding it to the /etc/hosts file:

Once the server is started, it’s time to test the connection and see if we can upload a file. To keep things visible and easy to follow, I used the cli ftp-client but you can use any client (like Filezilla) to test the connection.

Configuration with quotas

Now that we’ve got a working FTP-server, let’s add a quota for the FTP-users. Change the configuration file in /etc/proftpd.conf to include some quota configuration:

As you can see, only the last lines were added. These lines load the modules that will be responsible for watching and enforcing the quotas and on line 55, we configure that every user will have a default quota of 5MB (5*1024*1024).

For RHEL 6 or CentOS 6:

Comment out line 55 in the above file and add quotas for every user with FTP-access (see further).

Before we can reload the configuration, we need to initialize the limit table and tally table that we mentioned in our configuration file. This needs to be done with the ftpquota script. Unfortunately, for el6, this script isn’t in any standard package so you’ll have to install it manually.

For RHEL 6 or CentOS 6:

Download the script here: http://jensd.be/download/ftpquota and install it as follows:

For RHEL 7 or CentOS 7:

Install the proftpd-utils package, it contains the script:

After installing the ftpquota-script, use it to create the location for the tables and to initialize them:

In case you don’t want to use the default quota (defined on line 55 in the configuration file), you can manually add a different quota for every user. This is mandatory on RHEL 6 or CentOS 6. For example, to set a quota of 10MB on user jensd:
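As an added example (not the post's original listings, whose line numbers do not apply to it), these shell functions print a mod_quotatab section matching the description above and wrap the ftpquota calls for creating the tables and adding a per-user limit. The function names are hypothetical, the `.limittab`/`.tallytab` file names under /etc/proftpd are assumed, and `QuotaDefault` is assumed to be the directive the text refers to as line 55.

```bash
#!/bin/bash
# Added example: file-based quota setup for proftpd with mod_quotatab.
# Assumed table location; override with TABLE_DIR=... if yours differs.
TABLE_DIR=${TABLE_DIR:-/etc/proftpd}

# Print the quota section for /etc/proftpd.conf; $1 = default quota in MB.
quota_conf() {
    cat <<EOF
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c
<IfModule mod_quotatab.c>
  QuotaEngine       on
  QuotaLog          /var/log/proftpd/quota.log
  QuotaDisplayUnits Mb
  QuotaShowQuotas   on
  QuotaLimitTable   file:${TABLE_DIR}/ftpquota.limittab
  QuotaTallyTable   file:${TABLE_DIR}/ftpquota.tallytab
  # Per-user quota, not per-session, hard limit on uploaded bytes; 0 = no limit.
  # On el6 (1.3.3g) comment this line out and add a record per user instead.
  QuotaDefault      user false hard $(( $1 * 1024 * 1024 )) 0 0 0 0 0
</IfModule>
EOF
}

# Create the empty limit and tally tables named in the configuration.
init_tables() {
    mkdir -p "$TABLE_DIR" &&
    ftpquota --create-table --type=limit \
             --table-path="$TABLE_DIR/ftpquota.limittab" &&
    ftpquota --create-table --type=tally \
             --table-path="$TABLE_DIR/ftpquota.tallytab"
}

# Add a hard upload limit for one user; $1 = user name, $2 = size in MB.
set_user_quota() {
    ftpquota --add-record --type=limit --name="$1" --quota-type=user \
             --limit-type=hard --bytes-upload="$2" --units=Mb \
             --table-path="$TABLE_DIR/ftpquota.limittab"
}

# Typical use, as root:
#   quota_conf 5 >> /etc/proftpd.conf
#   init_tables
#   set_user_quota jensd 10
```
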

To let our changes take effect, we need to restart the FTP-server:

For RHEL 6 or CentOS 6:

For RHEL 7 or CentOS 7:

To test the quota, let’s create a file of 2MB to be uploaded:

Now let’s test the FTP again and see if we’re limited in quota:

As you can see, the last file, test4, didn’t get uploaded since that would push the total used space higher than our quota. The transfer log shows the following message to make this clear to the user: 552 Transfer aborted. Disk quota exceeded.

On the server itself we can monitor the quotas from the logfile in /var/log/proftpd/quota.log (as we defined in our configuration file):

As you can see, it’s rather simple and easy to set up quotas for your FTP-server.

3 thoughts on “Setup an FTP-server with quotas on RHEL or CentOS 6 or 7 with proftpd”

  1. I have a problem with quota, in quota log I get this: mai 01 15:39:37 mod_quotatab/1.3.0[3739]: error: unable to open QuotaTallyTable: Opération non permise
    mai 01 15:39:46 mod_quotatab/1.3.0[3739]: turning QuotaEngine off

    Do you know how to repair this problem?
    Thanks

    • Did you create the tables with ftpquota?
      You could check the permissions on /etc/proftpd/ftpquota.*

      Also, check if SELinux isn’t causing you troubles. The easiest way to test it is to turn it off temporarily (setenforce 0) and check for messages with AVC in /var/log/audit/audit.log
